Drafting an Enforceable NDA for Your Startup: Why Protecting Your Source Code Requires More Than a Generic Template (Philippine Law)

Introduction: why “source code + template NDA” is a risky mix

For startups, source code is often the product, the competitive edge, and the company’s most valuable confidential information. Yet many founders rely on generic NDA templates that are silent on issues that determine enforceability and remedies in the Philippines: who may access the code, how it is stored, what counts as “confidential,” what disclosures are compelled by law or court process, and what happens when the information is mixed with personal data, third-party code, or corporate records.

Under Philippine law, NDAs are generally enforceable as contracts so long as their terms are not contrary to law, morals, good customs, public order, or public policy, and are observed in good faith (Civil Code principles). The challenge is drafting the NDA so it fits real startup workflows (Git repositories, cloud logs, contractors, investors, code reviews) and so it remains enforceable when tested in litigation.

Governing Philippine legal sources relevant to NDAs for source code

Civil law on contracts (freedom to stipulate; enforcement in good faith). Philippine doctrine recognizes that parties may agree on restrictive covenants and confidentiality obligations, provided the restrictions are reasonable and not against public policy. In employment settings, the Supreme Court has upheld restrictive clauses where necessary to protect confidential business information (Tiu v. Platinum Plans Phil., Inc., 2007).

Trade secret and privilege against compulsory disclosure. In litigation, a court generally will not compel disclosure of trade secrets absent a compelling and indispensable reason. The Supreme Court recognized formulations and confidential business information as protected trade secrets and privileged against compelled disclosure (Air Philippines Corporation v. Pennswell, Inc., 2007). This doctrine supports well-drafted NDAs, but it does not replace them: an NDA clarifies what the parties treated as confidential, the permitted uses, and the protective measures expected.

Intellectual Property Code concepts and technology transfer rules. The Intellectual Property Code defines intellectual property rights broadly and also regulates “technology transfer arrangements,” including licensing and assignment of IP and software in certain contexts (Intellectual Property Code of the Philippines, 1997). If your NDA is bundled with licensing or development provisions, you must avoid prohibited clauses and include mandatory provisions where applicable; otherwise, parts of the agreement may be unenforceable (Intellectual Property Code of the Philippines, 1997).

Electronic evidence and confidentiality for electronic files. For startups that store source code digitally, the Electronic Commerce Act supports the validity of electronic documents and contains rules on lawful access and confidentiality of electronic files and keys (Electronic Commerce Act, 2000). This helps when NDAs are executed electronically and when disputes involve repository access, credentials, and logs.

Corporate record inspection and confidentiality context. The Revised Corporation Code recognizes stockholder/director inspection rights but also emphasizes confidentiality and disallows inspection for competitors or persons representing competitors; abuse may be penalized (Revised Corporation Code of the Philippines, 2019). If you share code or security documentation with directors, advisors, or investor nominees, your NDA and internal policies should be consistent with these confidentiality expectations.

Why source code protection needs more than a generic NDA

Source code has multiple legal “layers.” Code can be (a) a trade secret (confidential know-how), (b) a copyrightable work, (c) a bundle of third-party open-source components with license duties, and (d) a system that processes personal data. A template NDA usually treats “Confidential Information” as a single bucket and ignores the separate compliance and remedy issues for each layer.

Generic templates often fail on definition, scope, and proof. Litigation risk commonly turns on whether the information was clearly identified as confidential, whether the recipient had a legitimate need to access it, whether the disclosing party used reasonable safeguards, and whether the obligations were reasonably limited. The Supreme Court’s approach to restrictive clauses favors reasonableness and protection of legitimate interests (Tiu v. Platinum Plans Phil., Inc., 2007).

Templates rarely address compelled disclosure and court handling. Even if trade secrets are protected, disputes can involve discovery requests, subpoenas, or court-ordered production. Trade secrets are generally protected from compulsory disclosure unless there is a compelling and indispensable reason (Air Philippines Corporation v. Pennswell, Inc., 2007), but you still want NDA provisions on notice, cooperation, protective orders, and redaction procedures.

Essential NDA building blocks for enforceability (with source-code-specific drafting)

1) Parties, capacity, and who is bound

Bind the real access holders. Startups often share code with employees, contractors, “fractional” CTOs, agencies, interns, advisors, and potential investors. A frequent failure is signing an NDA with an agency entity while the individual developers who access the repository are not expressly bound.

Suggested drafting approach. Require the recipient to ensure that its directors, officers, employees, contractors, and representatives who will access source code are bound by written confidentiality obligations at least as strict as the NDA. This aligns with the reality that access is often delegated.

2) Definition of “Confidential Information” tailored to source code

Define confidential information by category, not only by a general sentence. For source code NDAs, include:

  • Source code and object code (including branches, forks, commit history, build scripts, and configuration files).
  • Architecture and security materials (threat models, API key handling, IAM policies, secrets management design).
  • DevOps and deployment data (CI/CD pipelines, infrastructure-as-code, cloud topology).
  • Product and business information (roadmap, pricing logic, customer lists, vendor terms), if relevant.

Marking and identification. Generic templates often require marking everything “CONFIDENTIAL,” which is unrealistic in code repositories. Use a dual approach: (a) treat specified categories as confidential by default, and (b) allow written confirmation for disclosures made in meetings or demos within a set period.

3) Purpose limitation and permitted uses

Limit use to a stated purpose. For example: evaluation for investment, a proof-of-concept engagement, or software development services. Make it clear the recipient may use the code only to accomplish the defined purpose and not for competitive development, benchmarking, or training datasets.

This supports reasonableness and aligns with the Supreme Court’s acceptance of restrictions that fairly protect legitimate business interests (Tiu v. Platinum Plans Phil., Inc., 2007).

4) Access control, security standards, and handling rules (especially for repositories)

An NDA for source code should read like a minimum security protocol. Consider clauses that require:

  • Need-to-know access and least privilege (only named accounts, no shared credentials).
  • Repository controls (2FA, IP allowlisting where feasible, protected branches, code review rules).
  • No local copies unless approved; if allowed, encryption-at-rest and device security.
  • Logging and audit cooperation in case of suspected breach.

These provisions reduce disputes about whether the startup treated the information as confidential, and they help establish breach and damages.

5) Exclusions from confidentiality (avoid overreach)

Reasonable exclusions reduce enforceability risk. Typical exclusions include information that is:

  • public through no fault of the recipient;
  • already known to the recipient with proof;
  • independently developed without use of the confidential information; or
  • rightfully obtained from a third party without breach.

These are standard and reduce arguments that the NDA is oppressive or vague.

6) Term and survival (duration that fits software realities)

Templates often use “2 years” without thinking. For source code, you may justify longer confidentiality survival because the competitive value can extend beyond a short term, but it must still be reasonable. For example, confidentiality survives for several years, or until the information becomes public without breach, whichever occurs first.

7) Ownership, no license, and IP hygiene (NDA vs. IP assignment)

Clarify that disclosure does not grant rights. State that no license is granted except what is strictly necessary for the stated purpose. If the engagement involves development, you may need a separate IP assignment or work-for-hire style provision; otherwise, an NDA alone may not secure ownership.

If your NDA includes licensing, assignment, or technology transfer elements, confirm compliance with relevant Intellectual Property Code provisions on technology transfer arrangements and mandatory provisions, because non-conforming clauses can affect enforceability (Intellectual Property Code of the Philippines, 1997).

8) Non-disclosure, non-use, and non-circumvention (be careful with reasonableness)

Non-use is often as important as non-disclosure. For source code, misuse can occur even without publication (e.g., recreating features, copying architecture). Draft explicit non-use language.

Non-compete style restrictions must be limited. While Philippine jurisprudence upholds restrictions that are reasonable as to time, trade, and place and necessary to protect the employer or principal’s interests (Tiu v. Platinum Plans Phil., Inc., 2007), overbroad restrictions are vulnerable. For investor NDAs, avoid sweeping “cannot invest in any competitor worldwide for five years” unless narrowly justified.

9) Compelled disclosure, protective measures, and litigation posture

Even with trade secret protection recognized by the Supreme Court (Air Philippines Corporation v. Pennswell, Inc., 2007), your NDA should require:

  • prompt notice if the recipient receives a subpoena, court order, or government request;
  • cooperation in seeking protective orders and confidential treatment; and
  • limited disclosure (only what is required, with redactions where permitted).

10) Electronic execution, evidence, and repository logs

Use an NDA that anticipates electronic signatures and electronic records. The Electronic Commerce Act recognizes the validity of electronic data messages and includes rules on lawful access and confidentiality of electronic files and electronic keys (Electronic Commerce Act, 2000). This supports enforcing NDAs signed via e-sign platforms and helps frame confidentiality obligations over access credentials and encrypted materials.

11) Remedies: injunctive relief, damages, and return/destruction

Injunctive relief language. Provide that breach may cause irreparable harm and that the startup may seek injunctive relief in addition to damages, subject to court rules. This does not guarantee an injunction, but it helps support the request.

Return/destruction tailored to code. Require the recipient to (a) revoke repository access, (b) delete local clones and backups, (c) certify deletion, and (d) preserve one archival copy only if required by law, subject to continuing confidentiality.

Common startup scenarios and how the NDA should respond

Scenario A: hiring freelance developers or an agency

Risk: individual devs keep copies of the repo, reuse modules for other clients, or store credentials in personal devices.

NDA response: bind representatives, define “source code” broadly, set security controls (2FA, no shared accounts), prohibit reuse, and require deletion certification. If developers will create code, use a separate IP assignment or development agreement; an NDA alone is not an ownership transfer (based on internal knowledge of Philippine law).

Scenario B: pitching to investors and accelerators

Risk: disclosure of architecture and roadmap; the investor has portfolio companies in the same space.

NDA response: strong purpose limitation, “competitor” definition, limited access, and clear exclusions. Be mindful that some investors refuse NDAs; if so, disclose only high-level materials and keep source access gated (based on internal knowledge of Philippine law).

Scenario C: sharing code with directors, advisors, or corporate stakeholders

Risk: inspection or access requests become broad; information leaks to competitors.

NDA response: align disclosures with confidentiality expectations and limits. The Revised Corporation Code recognizes inspection rights but also restricts inspection by competitors and requires confidentiality, with penalties for abuse (Revised Corporation Code of the Philippines, 2019).

Drafting checklist: provisions that tend to matter most for source code

For each clause area, the entries below list what to include for source code and why it matters in disputes.

  • Definition of Confidential Information. Include: source/object code, commit history, configs, security docs, DevOps materials. Why it matters: reduces “not confidential” defenses; clarifies scope.
  • Purpose + non-use. Include: use only for the stated evaluation/service; ban competitive development and reverse engineering. Why it matters: addresses misuse even without disclosure.
  • Access + security measures. Include: 2FA, least privilege, named users, no shared accounts, encryption, logs. Why it matters: shows reasonable efforts; supports breach proof.
  • Compelled disclosure. Include: notice, cooperation, protective orders, minimal disclosure. Why it matters: complements the trade secret privilege doctrine (Air Philippines Corporation v. Pennswell, Inc., 2007).
  • Term and survival. Include: survival tied to confidentiality status; longer for code where justified. Why it matters: reduces claims of unreasonable restraint.

Frequent drafting mistakes that weaken enforcement

  • Overbroad restrictions that resemble an unlimited non-compete without a legitimate, narrowly defined interest (see reasonableness approach in Tiu v. Platinum Plans Phil., Inc., 2007).
  • Undefined “confidential information” that does not clearly include repository artifacts (branches, CI/CD scripts, configs).
  • No non-use clause, leaving only “do not disclose,” which may not capture competitive copying.
  • No security handling rules, making it harder to prove the recipient failed expected safeguards.
  • NDA used as an IP transfer document without separate assignment/licensing provisions and compliance checks under IP rules (Intellectual Property Code of the Philippines, 1997).

Final observations and recommendations

For Philippine startups, an enforceable NDA for source code is not only about signing a document; it is about drafting clauses that match how code is actually accessed, copied, and reused. Supreme Court doctrine supports reasonable restrictions to protect confidential business information (Tiu v. Platinum Plans Phil., Inc., 2007) and recognizes trade secrets as privileged against compelled disclosure absent compelling need (Air Philippines Corporation v. Pennswell, Inc., 2007). These doctrines work best when your NDA precisely identifies what you are protecting and the safeguards expected.

For implementation, use an NDA that: (1) defines source code broadly, (2) limits use to a clear purpose, (3) imposes repository-grade security duties, (4) includes compelled-disclosure and litigation handling terms, and (5) is paired with the correct IP agreements when development or licensing is involved, mindful of the Intellectual Property Code’s technology transfer rules (Intellectual Property Code of the Philippines, 1997). Where corporate stakeholders are involved, keep confidentiality duties consistent with statutory expectations under the Revised Corporation Code (Revised Corporation Code of the Philippines, 2019). For electronic signing and digital evidence, align with the Electronic Commerce Act (Electronic Commerce Act, 2000).

About Nicolas and De Vega Law Offices

Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.